
ISC2 CSSLP - ISC2 Certified Secure Software Lifecycle Professional Certification Exam

Question #1 (Topic: Demo Questions)

You work as a Network Auditor for Net Perfect Inc. The company has a Windows-based network. While auditing the company's network, you are having trouble finding the faults and other entities that belong to it. Which of the following risks may occur because of these problems?

A.
Residual risk
B.
Secondary risk 
C.
Detection risk 
D.
Inherent risk
Correct Answer: C
Explanation:
Detection risk is the risk that an auditor will not be able to find what they are looking for, so the audit reports no findings when material conditions (faults) actually exist. Detection risk includes two types of risk:
Sampling risk: This risk occurs when an auditor falsely accepts or erroneously rejects an audit sample, because the sample does not represent the population.
Nonsampling risk: This risk occurs when an auditor fails to detect a condition because of not applying the appropriate procedure or using procedures inconsistent with the audit objectives (detection faults).
Answer: A is incorrect. Residual risk is the risk or danger that remains from an action, event, method or (technical) process even after all theoretically possible (scientifically conceivable) safety measures have been applied. The formula to calculate residual risk is (inherent risk) x (control risk), where inherent risk is (threats x vulnerability). In the economic context, residual means "the quantity left over at the end of a process; a remainder".
Answer: D is incorrect. Inherent risk, in auditing, is the risk that the account or section being audited is materially misstated due to error or fraud, before considering internal controls. The assessment of inherent risk depends on the professional judgment of the auditor, and it is done after assessing the business environment of the entity being audited.
Answer: B is incorrect. A secondary risk is a risk that arises as a direct consequence of implementing a risk response; it is an outcome of dealing with the original risk. Secondary risks are usually not as severe or important as primary risks, but can turn out to be so if not estimated and planned for properly.
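Sampling risk can be quantified. As an added illustration that is not part of the original question or its explanation (the hypergeometric formula, the function names and the population sizes are assumptions introduced here), the following Python computes the probability that a random audit sample misses every faulty item in a population, and the smallest sample size that keeps that probability below a chosen threshold. It shows why a small sample can report "no faults found" while faults exist, which is exactly the detection risk the question describes.

```python
# Added illustration of sampling risk (not from the original page).
# Model: an auditor draws `sample` hosts uniformly without replacement
# from `population` hosts, of which `faulty` are misconfigured. The
# probability of drawing none of the faulty hosts is the hypergeometric
# P(X = 0) = C(N - k, n) / C(N, n). All population sizes below are
# constructed for the example.
from math import comb


def prob_miss_all_faults(population: int, faulty: int, sample: int) -> float:
    """Probability that a random sample of `sample` items drawn without
    replacement from `population` items contains none of the `faulty` ones."""
    if not 0 <= faulty <= population or not 0 <= sample <= population:
        raise ValueError("faulty and sample must lie within the population")
    if faulty == 0:
        return 1.0  # nothing to find, so nothing can be missed
    if sample > population - faulty:
        return 0.0  # the sample is too large to avoid every faulty item
    return comb(population - faulty, sample) / comb(population, sample)


def min_sample_for_confidence(population: int, faulty: int, confidence: float) -> int:
    """Smallest sample size for which at least one of the `faulty` items is
    drawn with probability >= `confidence` (i.e. sampling risk <= 1 - confidence)."""
    if not 0.0 <= confidence <= 1.0:
        raise ValueError("confidence must be between 0 and 1")
    for n in range(population + 1):
        if 1.0 - prob_miss_all_faults(population, faulty, n) >= confidence:
            return n
    return population


if __name__ == "__main__":
    # Constructed scenario: 200 Windows hosts, 5 of them misconfigured,
    # auditor checks 20 of them by hand.
    p_miss = prob_miss_all_faults(200, 5, 20)
    print(f"P(sample of 20 misses all 5 faults) = {p_miss:.3f}")
    n_needed = min_sample_for_confidence(200, 5, 0.95)
    print(f"Sample size needed for 95% chance of seeing a fault: {n_needed}")
```

Run as a script it prints the miss probability for the constructed scenario (about 0.59, so the auditor would report a clean result more often than not) and the sample size needed to push that risk down to 5 percent. The functions return values rather than only printing so they can be reused in an audit-planning calculation.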

Question #2 (Topic: Demo Questions)

Which of the following statements reflect the "Code of Ethics Canons" in the (ISC)2 Code of Ethics? Each correct answer represents a complete solution. Choose all that apply.

A.
Act honorably, honestly, justly, responsibly, and legally.
B.
Give guidance for resolving good versus good and bad versus bad dilemmas.
C.
Provide diligent and competent service to principals.
D.
Protect society, the commonwealth, and the infrastructure.
Correct Answer: A, C, D
Explanation:
The Code of Ethics Canons in the (ISC)2 Code of Ethics are as follows:
Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
Answer: B is incorrect. Giving guidance for resolving good-versus-good and bad-versus-bad dilemmas is not one of the four canons.
Question #3 (Topic: Demo Questions)

Which of the following security design principles supports comprehensive and simple design and implementation of protection mechanisms, so that an unintended access path does not exist or can be readily identified and eliminated?

A.
Least privilege
B.
Economy of mechanism
C.
Psychological acceptability
D.
Separation of duties
Correct Answer: B
Explanation:
Economy of mechanism is a security design principle that supports simple and comprehensive design and implementation of protection mechanisms, so that an unintended access path does not exist or can be readily identified and eliminated. Answer: D is incorrect. Separation of duties requires that completion of a specific sensitive activity, or access to a sensitive object, depend on the satisfaction of multiple conditions. Answer: C is incorrect. Psychological acceptability concerns the ease of use and intuitiveness of the user interface that controls and interacts with the access control mechanisms. Answer: A is incorrect. Least privilege maintains that an individual, process, or other type of entity should be given the minimum privileges and resources for the minimum period of time required to complete a task.
Question #4 (Topic: Demo Questions)

Mark is the project manager of the NHQ project in StarTech Inc. The project has an asset valued at $195,000 and is subjected to an exposure factor of 35 percent. What will be the Single Loss Expectancy of the project?

A.
$68,250
B.
$92,600
C.
$72,650
D.
$67,250
Correct Answer: A
Explanation:
The Single Loss Expectancy (SLE) of this project will be $68,250. Single Loss Expectancy is a term related to Risk Management and Risk Assessment. It is the monetary value expected from a single occurrence of a risk on an asset. It is mathematically expressed as follows: Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF), where the Exposure Factor represents the impact of the risk on the asset, expressed as the fraction (percentage) of the asset value lost. As an example, if the Asset Value is reduced by two thirds, the Exposure Factor is 0.66; if the asset is completely lost, the Exposure Factor is 1.0. The result is a monetary value in the same unit as the Asset Value. Here, it is as follows:
SLE = Asset Value * Exposure Factor
= 195,000 * 0.35
= $68,250
Answer: B, C, and D are incorrect. These are not valid SLEs for this project.
Question #5 (Topic: Demo Questions)

Which of the following tiers addresses risks from an information system perspective?

A.
Tier 0
B.
Tier 3
C.
Tier 2
D.
Tier 1
Correct Answer: B
Explanation:
The information system level is tier 3. It addresses risks from an information system perspective and is guided by the risk decisions at tiers 1 and 2. Risk decisions at tiers 1 and 2 affect the ultimate selection and deployment of the required safeguards, and therefore the countermeasures at the information system level. The RMF primarily operates at tier 3, but it also interacts with tiers 1 and 2. Answer: A is incorrect. Tier 0 is not a valid tier in this model. Answer: D is incorrect. The organization level is tier 1, and it addresses risks from an organizational perspective. Answer: C is incorrect. The mission and business process level is tier 2, and it addresses risks from the mission and business process perspective.